Your telehealth platform reported a breach
Video, audio, transcripts, chat, and screen-shared documents may have been exposed. Consent, recording, and OCR scope all matter — and patients react more strongly to telehealth breaches because the visit feels personal.
The first hour
- 1Get the vendor's incident notification in writing — email or letter, not a phone call. It must include discovery date, breach window, data categories, patient counts attributable to your practice, and the vendor's notification posture.
- 2Pause any telehealth visits scheduled in the next 24 hours unless the vendor has confirmed the platform is secure. The decision to resume is yours.
- 3Pull the BAA. Note the incident-notification clock, patient-notification responsibility assignment, and recording-handling clauses.
- 4Inventory affected sessions: pull the visit log from the platform for the breach window. Flag sessions involving screen-shared PHI, recorded interpreter services, or clinical content in chat.
- 5Notify your cyber insurance carrier with the vendor's written notification attached. Telehealth breaches often qualify under both cyber and professional-liability lines.
- 6Decide whether to notify patients on your own initiative or wait for the vendor. Patients are calmer hearing from their doctor's office than from a vendor they may not recognize.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- Vendor's written breach notification (email + PDF) with timestamps.
- Your signed BAA and any amendments.
- Visit log export from the platform covering the breach window.
- List of sessions where PHI was screen-shared or exchanged in chat.
- Entry in your security incident log — required under the HIPAA Security Rule and the most common documentation gap OCR cites in small-practice investigations.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- HHS OCR Breach Portal
- HHS Breach Notification Rule guidance
- State AG breach notification (varies by state)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Did the vendor record our sessions?+
It depends on the platform and your configuration. Three questions shape your notification scope: did the vendor record sessions; are the recordings in the breach scope; and did you ever screen-share PHI (labs, imaging, an EHR view) during sessions. Get written answers from the vendor before you draft the letter.
Whose obligation is patient notification — ours or the vendor's?+
By default, the covered entity. Some BAAs shift it to the BA. Even when the BA notifies, OCR can still come back to you. If the vendor will notify, confirm in writing that they have started and ask for the language they will use.
Is our telehealth consent enough?+
Often not. Many practices use a generic in-person consent. Telehealth consent should specifically address recording (whether, where stored, retention), interpreter participation, and the patient's right to refuse telehealth. Update it as part of this incident's remediation.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.
Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.